Closed
Bug 468538
Opened 16 years ago
Closed 16 years ago
Crash [@ nsParser::ParseFragment] setting innerHTML in mixed-content document
Categories
(Core :: DOM: HTML Parser, defect)
Core
DOM: HTML Parser
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: jruderman, Assigned: bent.mozilla)
References
Details
(6 keywords, Whiteboard: [sg:dos] null deref)
Crash Data
Attachments
(3 files, 1 obsolete file)
384 bytes,
application/xhtml+xml
|
Details | |
1.16 KB,
patch
|
mrbkap
:
review+
mrbkap
:
superreview+
|
Details | Diff | Splinter Review |
1.36 KB,
patch
|
samuel.sidler+old
:
approval1.9.0.11+
|
Details | Diff | Splinter Review |
ML Parsing Error: prefix not bound to a namespace
Location:
Line Number 1, Column 1:
<xul:box><div xmlns="http://www.w3.org/1999/xhtml">
^
###!!! ASSERTION: ParseFragment requires a fragment content sink: 'fragSink', file /Users/jruderman/central/parser/htmlparser/src/nsParser.cpp, line 2073
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/xpcom/nsCOMPtr.h, line 796
Regression from bug 460437, perhaps?
Assignee | ||
Comment 1•16 years ago
|
||
Most likely.
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Flags: blocking1.9.1?
Assignee | ||
Comment 2•16 years ago
|
||
So... This fixes the crash. But it's kinda ugly.
Basically Parse() is failing but returning NS_OK. I think that is the real problem, but I can't imagine how much other code might depend on that currently. So this may be the simplest thing to do for now. mrbkap, what do you think?
Attachment #352020 -
Flags: superreview?(mrbkap)
Attachment #352020 -
Flags: review?(mrbkap)
Comment 3•16 years ago
|
||
Comment on attachment 352020 [details] [diff] [review]
Patch, v1
I'd rather not do this if possible. Calling into the parser when no sink is null is a dangerous proposition at best. Can we, instead detect that the sink became null after the call to parse (assert that this is the XML mode) and bail early if so?
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Assignee | ||
Comment 4•16 years ago
|
||
Attachment #352020 -
Attachment is obsolete: true
Attachment #353134 -
Flags: superreview?(mrbkap)
Attachment #353134 -
Flags: review?(mrbkap)
Attachment #352020 -
Flags: superreview?(mrbkap)
Attachment #352020 -
Flags: review?(mrbkap)
Updated•16 years ago
|
Attachment #353134 -
Flags: superreview?(mrbkap)
Attachment #353134 -
Flags: superreview+
Attachment #353134 -
Flags: review?(mrbkap)
Attachment #353134 -
Flags: review+
Comment 5•16 years ago
|
||
Comment on attachment 353134 [details] [diff] [review]
Patch, v1.1
Yeah, let's try this.
Assignee | ||
Comment 6•16 years ago
|
||
Pushed changeset 324151b8a4b9 to mozilla-central.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 7•16 years ago
|
||
Pushed changeset 445c44c3c804 to mozilla-1.9.1
Keywords: fixed1.9.1
Reporter | ||
Updated•16 years ago
|
Flags: in-testsuite+
Comment 8•16 years ago
|
||
Verified on trunk and 1.9.1 with:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090131 Minefield/3.2a1pre ID:20090131034630
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre ID:20090201020604
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090201 Shiretoko/3.1b3pre ID:20090201033606
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090201 Shiretoko/3.1b3pre Ubiquity/0.1.5 ID:20090201020520
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
Comment 9•16 years ago
|
||
1.9.0 !exploitable report:
PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gkparser!nsParser::ParseFragment
Flags: blocking1.9.0.11?
Comment 10•16 years ago
|
||
(responding as "private" since comment 9 is private).
This isn't exploitable -- we're calling a virtual function through a guaranteed null pointer. This is a false positive like the one that dveditz pointed out on the s-g list.
Comment 11•16 years ago
|
||
We've taken bug 460437 in the 1.9.0.11 release, we should probably take this regression fix before we ship a release with the problem.
Flags: wanted1.9.0.x+
Whiteboard: [sg:dos] null deref
Updated•16 years ago
|
Keywords: regression
Updated•16 years ago
|
Flags: blocking1.9.0.11? → blocking1.9.0.11+
Assignee | ||
Comment 12•16 years ago
|
||
Attachment #376091 -
Flags: approval1.9.0.11?
Comment 13•16 years ago
|
||
Comment on attachment 376091 [details] [diff] [review]
Patch for 1.9.0 branch
Approved for 1.9.0.11. a=ss for release-drivers
Attachment #376091 -
Flags: approval1.9.0.11? → approval1.9.0.11+
Assignee | ||
Comment 14•16 years ago
|
||
Pushed rev 3.412 of nsParser.cpp to cvs.
Assignee | ||
Updated•16 years ago
|
Keywords: fixed1.9.0.11
Comment 15•16 years ago
|
||
Verified for 1.9.0.11 with my debug build: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11pre) Gecko/2009051111 GranParadiso/3.0.11pre. No crash.
Keywords: fixed1.9.0.11 → verified1.9.0.11
Updated•14 years ago
|
Crash Signature: [@ nsParser::ParseFragment]
You need to log in
before you can comment on or make changes to this bug.
Description
•